
Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.


Using dropbox as a repository for an application


new_to_dreamland
Explorer | Level 3

Hello all,

 

My team and I have some questions around the API features offered by Standard/Advanced plan.

 

Currently, we are thinking of building an application where the end users can upload documents (PDFs, photos, etc.) to our app and Dropbox will be the storage.

 

We are planning something like this below.

End users (approx. 1000 users) >>> App using DBX platform (the app accesses Dropbox on behalf of all end users and takes actions on each user's folders and files via API) >>> Dropbox

 

I have confirmed that it is possible for an end user to upload files to the app with a chat agent...

I also checked the API documentation and found out there are many actions besides “upload”, so end users can edit/delete/replace a file as they like. Seeing "Take actions on files and folders—like creating, reading, editing, moving, and deleting—with the Dropbox Files API..." from https://www.dropbox.com/developers, I feel like it is possible to do what we are planning to do...

 

Has anyone done something similar? Is this use case rare?

6 Replies

Greg-DB
Dropbox Staff

As you found, Dropbox does offer an API you can use for listing, uploading, and downloading files, among other operations, so that is possible.

 

I see you already found the developers site. These guides in particular may be useful:

One point of clarification though, as it's not clear to me from your description, is whether you mean to have all of your end-users each connecting to your one Dropbox account, or each to their own Dropbox accounts. The API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. While it is technically possible to always connect to just one account for all users, we do not officially support this, for various technical and security reasons.

new_to_dreamland
Explorer | Level 3

Thank you for the reply.

 

I was thinking all of the end users who are going to use our app will not need a Dropbox account, and they can upload files via Dropbox, connecting to our Dropbox account through the app. In such a case, as you mentioned, it is technically possible but not officially supported? Am I correct?

Meaning that if I want to create an app and use Dropbox as the storage, the end users must have a Dropbox account to upload files?

 

If the intention was to have the app's end users log in to their Dropbox account and interact with their own files, can the users just use a free Basic account?

Здравко
Legendary | Level 20

@new_to_dreamland wrote:

...

I was thinking all of the end users who are going to use our app will not need a Dropbox account, and they can upload files via Dropbox, connecting to our Dropbox account through the app. In such a case, as you mentioned, it is technically possible but not officially supported? Am I correct?

...


Hi @new_to_dreamland,

Yes, you are correct. For a standalone local application it's never a good idea to connect directly to another Dropbox client's account (in particular, for your clients to use your connection). Once such a connection is established, the connected application (and the user driving it) has unlimited access to all resources accessible to the application in your account. While you can use an application folder to limit account access (the access your clients have), it's impossible to restrict access between clients' resources. That can be a serious security risk! 👹 That's why, in spite of being technically possible, it's neither supported nor a good idea at all (you are responsible for any possible harm if you decide to use it).

 


@new_to_dreamland wrote:

...

Meaning that if I want to create an app and use Dropbox as the storage, the end users must have a Dropbox account to upload files?

...


It's not a must, but a possible way. Actually, you can let users access your account safely, but not by using a Dropbox API connection directly. If you build your server-side application (or part of the application), then the server code (built and driven by you) will provide access to the account, and your users will be able to access it according to the application design (under your strict control). In such a way users don't need any Dropbox account at all. 😉

 


@new_to_dreamland wrote:

...

If the intention was to have the app's end users log in to their Dropbox account and interact with their own files, can the users just use a free Basic account?


The users can have whatever account satisfies their needs (including a free one if suitable). To interact with your account's content, you and your users should have shared folders in such a case. Keep in mind that shared content counts against all accounts it's shared to (not only the owner's account - a Dropbox drawback). So, your clients should have enough capacity to keep at least the shared content in their accounts. Good planning/design of the sharing process may decrease the needed capacity. For instance, if your users need access to different content (possibly partially overlapping), instead of sharing one big block of data with everyone, you can "dissect" the initial data block and share only the needed data pieces with the one or more users that actually need them. So, you can avoid user complaints about capacity overload and decrease users' account requirements. 🙂 The advantage of such a solution is that you don't need a server-side application (or again, part of it) and your application can work entirely client side without security compromise.

Hope this gives direction.

new_to_dreamland
Explorer | Level 3

@Здравко  

Thank you for the reply. It is really insightful.

 

Just to confirm what you wrote below..

 

Actually, you can let users access your account safely, but not by using a Dropbox API connection directly. If you build your server-side application (or part of the application), then the server code (built and driven by you) will provide access to the account, and your users will be able to access it according to the application design (under your strict control). In such a way users don't need any Dropbox account at all.

 



If I understand you correctly, if we are able to carefully make an application that has proper control, end users can access our Dropbox account embedded in the application, where they can upload/edit/delete the files they upload. In such a case, the application connected with our account will communicate with Dropbox via API to perform such actions.

For instance, if we control it from the application side, such as by using the metadata attached to the files, will that be possible?

 

And what if, somehow, the end users get to know the ID/PW of the account, is there a way to prevent the end users from logging in to Dropbox?

I see there is a network control feature provided in the Enterprise plan. https://help.dropbox.com/security/network-control?fallback=true

How about the Standard/Advanced plans?

 

@Greg-DB  Will the above work?

Здравко
Legendary | Level 20

Hm.. 🤔 It seems I was not clear enough. I will try to make it clearer.

 


@new_to_dreamland wrote:

...

If I understand you correctly, if we are able to carefully make an application that has proper control, end users can access our Dropbox account embedded in the application, where they can upload/edit/delete the files they upload. In such a case, the application connected with our account will communicate with Dropbox via API to perform such actions.

For instance, if we control it from the application side, such as by using the metadata attached to the files, will that be possible?

...


As far as I can see, you mean a server-side application (or the server-side part of the application). I suppose by "embedded" you mean credentials provided by you to the server side of your application. Yes, using those credentials, your application can perform everything a particular user may need, under your control. Just to add here, you're gonna need to implement your own authentication mechanism for your users, to be able to identify who is going to do what and so, on that basis, exercise control. Again, only the server side of the application is connected to your account! Don't do it on the client side. If by "application side" you mean the client side, all data access from the client-side part of your application (either standalone or web) has to be performed through a connection to the server-side part, not directly to Dropbox.

 


@new_to_dreamland wrote:

...

And what if, somehow, the end users get to know the ID/PW of the account, is there a way to prevent the end users from logging in to Dropbox?

...


In all cases users should know only their own Dropbox account ID/PW, if any. You shouldn't provide such information to any user (otherwise the user will be able to impersonate you)! You should avoid providing not only the ID/PW, but any other kind of authorization information, like the different types of tokens.

As I said, you need to realize your own authorization system to distinguish different users. To be able to use Dropbox for such a purpose, you will need to expect every user to have their own Dropbox account (i.e. the other variant described in my previous post).

Additional protection can be provided by Dropbox against some network risks, but it's something different.

Hope this sheds some more light.
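
Added example, not part of the original thread and not Dropbox's or any poster's code: a sketch of the server-side mediation described in the post above, where the server holds the only Dropbox credential, authenticates users with its own session tokens, and confines each user to their own folder. The `/users/<id>` layout, the HMAC session format, and `FakeDropbox` (a constructed stand-in exposing `files_upload(data, path)`, the call the Dropbox Python SDK client also provides) are assumptions for illustration.

```python
import hashlib, hmac, posixpath, re

SERVER_KEY = b"constructed-demo-key"  # assumption: a real key lives in server-side secret storage
USER_ID_RE = re.compile(r"^[a-z0-9_-]{1,32}$")

def _tag(user_id: str) -> str:
    return hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()

def issue_session(user_id: str) -> str:
    """The app's own session token (user id + HMAC tag); no expiry here, for brevity."""
    return f"{user_id}.{_tag(user_id)}"

def authenticate(session: str) -> str:
    """Return the user id bound to a valid session token, else raise PermissionError."""
    user_id, _, tag = session.rpartition(".")
    if not USER_ID_RE.match(user_id) or not hmac.compare_digest(
            tag.encode(), _tag(user_id).encode()):
        raise PermissionError("invalid session")
    return user_id

def scoped_path(user_id: str, requested: str) -> str:
    """Map a client-supplied relative path into /users/<user_id>/ and refuse escapes."""
    root = f"/users/{user_id}"
    if not requested or "\\" in requested or "\x00" in requested:
        raise PermissionError("bad path")
    # An absolute `requested` replaces root in join(); ".." is collapsed by normpath().
    full = posixpath.normpath(posixpath.join(root, requested))
    # Dropbox paths are case-insensitive, so compare lower-cased.
    if not full.lower().startswith(root.lower() + "/"):
        raise PermissionError("path escapes user folder")
    return full

class FakeDropbox:
    """Constructed stand-in for the server's Dropbox client; records uploads in memory."""
    def __init__(self):
        self.stored = {}
    def files_upload(self, data, path):
        self.stored[path] = data

def handle_upload(dbx, session: str, requested: str, data: bytes) -> str:
    """Server endpoint body: authenticate, scope the path, then call Dropbox server-side."""
    path = scoped_path(authenticate(session), requested)
    dbx.files_upload(data, path)
    return path

if __name__ == "__main__":
    dbx = FakeDropbox()
    print(handle_upload(dbx, issue_session("alice"), "docs/id.pdf", b"%PDF-constructed"))
```

The client only ever sees the session token; the Dropbox access token stays with the `dbx` object on the server, which is the separation the post asks for.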

Greg-DB
Dropbox Staff

@new_to_dreamland Using a single Dropbox account for all end-users of your app is possible but not officially supported or recommended. I see Здравко gave you some helpful guidance, such as how you can allay some of these concerns by using your own server to mediate access, though it still wouldn't be officially recommended/supported.

 

And yes, if you were to have your end-users each use their own Dropbox account to store their files, the Dropbox accounts can be of any type, free or not.

 

In any case, you shouldn't share any Dropbox credentials, such as username/password.

 

The network control feature is only available to Enterprise teams, not other plans. It would also only control "which Dropbox accounts can be used on their corporate network"; it wouldn't prevent accounts from being accessed from other locations.
